Sure, pass-phrases can often be used in existing password fields, but is that the ideal UI design? Can we do a better job of guiding users when this is the only (or just preferred) method, especially when creating? When entering the passphrases, should we consider showing the spaces in between the blocked-out letters (a no-no in a traditional password field, but might be worth the minor security tradeoff to help the user keep track of where they are in a long text field)?

What are some model examples and/or recommended practices for UIs optimized for pass-phrases?

Why would a passphrase input need a different control? It's still a text input and it should still be hidden from view in most cases. The benefit of passphrase systems is that they work in a password field, assuming the field doesn't have pants-on-head-stupid password rules.
– Ben Brocka♦ Jan 25 '12 at 22:22

Passphrases are longer in general than passwords, so you might want to take that into account when designing your forms.
– Rahul♦ Jan 25 '12 at 22:30


@Ben Brocka, they can be used in existing password fields, but is that the ideal UI design? Can we do a better job of guiding users when this is the only (or just preferred) method, especially when creating? When entering the passphrases, should we consider showing the spaces in between the blocked-out letters (a no-no in a traditional password field, but might be worth the minor security tradeoff to help the user keep track of where they are in a long text field)?
– peteorpeter Jan 25 '12 at 22:54

Could you add those questions you just asked @Ben to your actual question? It will help get you (better) answers.
– Marjan Venema Jan 26 '12 at 8:45

1 Answer

The most important thing is less the UI elements like the form, but the copy you use to present the idea of the passphrase. When the user signs up, explain the idea of a passphrase simply and give them the benefits:

It's Secure: Harder to steal than a short, complex password.

Easy to remember: It's just like a sentence, but secret.

Don't overwhelm them with technobabble. Write your copy using benefits first and have a short follow-up explaining why you get the benefit. If you say you have RSA 512 security most people won't know what that means. If you say you have Bank Level Encryption: AES 256 you let everyone know the benefits, but you list the technical detail so that unconvinced or technical users can check your facts. Find some good resources on passphrase creation and security; summarize their points and link users to them.

Give them some tips about passphrase generation; tell them to make it long but easy to remember. A full sentence using proper nouns, especially from fiction. Dictionary words are risky but can be included in a successful passphrase to make it make sense.

I'd almost suggest showing them this comic:

But that would likely end up in "correct horse battery staple" being your most common password after "password".

Consider a password strength analyzer like How Secure is my Password shows, explaining the password's strength in understandable terms:

Showing the spaces seems like a novel idea, assuming the password input area were long enough. Traditional password fields are very short, and length is generally ignored as the characters are blocked out anyway. If you choose to show spaces you can actually help the user track where they are.

Spaces don't add entropy in passphrases, but spaces should be encouraged; in combination with a scheme of showing them to the user, they can help the user keep track of where they are in the passphrase. Spaces might not yield more security but they increase memorability and make the passphrase feel natural to the user.
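
The space-preserving masking discussed in the question and answer above, as an added example that is not part of the original post. The function names are hypothetical; the code shows both the progress cue the user gains and the per-word length pattern the display exposes to an onlooker, which is the tradeoff the question mentions.

```javascript
// Added example (not from the original thread): masked rendering for a
// passphrase field that keeps spaces visible. All names are hypothetical.
const MASK = "\u2022"; // bullet character used for hidden letters

// Replace every non-space character with a bullet and keep spaces as typed.
// The string iterator walks code points, so an emoji or other astral
// character produces one bullet rather than two.
function maskPassphrase(input) {
  let out = "";
  for (const ch of input) {
    out += ch === " " ? " " : MASK;
  }
  return out;
}

// Progress cue for the user: how many words are finished and how many
// characters have been typed in the word currently being entered.
function typingProgress(input) {
  const lengths = input.split(" ").map((w) => [...w].length);
  const current = lengths.pop(); // text after the last space (0 if none yet)
  return {
    completedWords: lengths.filter((n) => n > 0).length,
    currentWordLength: current,
  };
}

// What the masked display reveals to someone watching the screen:
// the length of each word, in order. Repeated spaces are ignored.
function revealedWordLengths(input) {
  return input
    .split(" ")
    .filter((w) => w.length > 0)
    .map((w) => [...w].length);
}

// Constructed sample input, taken from the phrase quoted in the answer.
const sample = "correct horse battery staple";
console.log(maskPassphrase(sample));
console.log(typingProgress("correct horse ba"));
console.log(revealedWordLengths(sample));
```
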